Cisco Bug: CSCup83001 - Cisco Secure Desktop Cache Cleaner Command Execution Vulnerability

Last Modified

Feb 19, 2016

Products (1)

  • Cisco Secure Desktop

Known Affected Releases

3.5(841)

Description (partial)

Symptom:
A vulnerability in a Cisco-signed Java Archive (JAR) executable Cache Cleaner component of Cisco Secure Desktop could allow an unauthenticated, remote attacker to execute arbitrary commands on the client host where the affected .jar file is executed. Command execution would occur with the privileges of the user.

The Cache Cleaner feature has been deprecated since November 2012.

There is no fixed software for this vulnerability. Cisco Secure Desktop packages that include the affected .jar files have been removed and are no longer available for download.

Because Cisco does not control all existing Cisco Secure Desktop packages, customers are advised to ensure that their Java blacklist controls have been updated to avoid potential exploitation. Refer to the "Workarounds" section of this advisory for additional information on how to mitigate this vulnerability.

Customers using Cisco Secure Desktop should migrate to the Cisco Host Scan standalone package.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150415-csd

Conditions:
See published Cisco Security Advisory
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
